FTPeS (Working Solution on Debian with Virtualmin/Webmin)

#1 Fri, 08/09/2013 - 10:17
jimdunn


FTPeS (aka "explicit FTP over TLS"; used to be "over SSL" but as you know TLS now replaces SSL)

First let me say I am in great debt to the makers of Virtualmin/Webmin/Usermin... much thanks!!

Now, on to FTPeS!

There are several flavors of FTP, but the current supported encrypted FTP is called FTPeS (Explicit FTP over TLS)

Note that you *CAN* run both SFTP (SSH) and FTPeS (FTP) at the same time, no conflicts

The only problem I had with FTPeS was that my ISP has an older "shared firewall" and could not support my FTPeS configuration, so I asked that they move me outside their shared firewall, which required they give me new IP addresses (I run my own firewall)

ProFTP has a good page on how to configure FTPeS at http://www.proftpd.org/docs/howto/TLS.html

Or you could google for it at https://www.google.com/search?q=how+configure+explicit+ftp+over+tls

I run Virtualmin GPL on Debian 6 (haven't upgraded to Debian 7 yet, am waiting for the dust to settle)

1) if you don't have ProFTPd and OpenSSL installed, you'll need them

[bash #] apt-get install proftpd openssl
(if you are asked, select "standalone" for proftpd)

2) edit /etc/proftpd/proftpd.conf and make sure of the following

Include /etc/proftpd/tls.conf

PassivePorts 59000 59999

<Global>
DefaultRoot ~
RootLogin off
IdentLookups off
ServerIdent on "FTP Server ready."
UseFtpUsers on
RequireValidShell on
</Global>

3) edit /etc/proftpd/tls.conf

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv3 TLSv1
TLSRSACertificateFile /etc/proftpd/ftpd-rsa.pem
TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
TLSVerifyClient off
TLSRenegotiate required off
#TLSRequired on
TLSOptions AllowClientRenegotiations NoCertRequest NoSessionReuseRequired
</IfModule>

(if you require TLS, then normal FTP will be blocked)

4) generate 10 year self-signed certs

[bash #] openssl req -new -x509 -days 3650 -nodes -out /etc/proftpd/ftpd-rsa.pem -keyout /etc/proftpd/ftpd-rsa-key.pem
[bash #] chmod 600 /etc/proftpd/ftpd-rsa-key.pem

5) restart ProFTPd

[bash #] /etc/init.d/proftpd restart

6) test locally

[bash #] openssl s_client -connect 127.0.0.1:21 -starttls ftp
quit

If you get a "Session-ID" then it worked.

Fri, 08/09/2013 - 11:51
Locutus

Nice how-to!

Let me make the comment that the Virtualmin default installation on (at least) Ubuntu 12 installs ProFTPD and has an example tls.conf file in place with most of the contents of your tutorial, just commented out.

Fri, 08/09/2013 - 14:42
jimdunn

Yep, true, there's a TLS.CONF file, but it's a bit old, I know that the "TLSProtocol" line needed to be updated:

OLD: TLSProtocol SSLv23

NEW: TLSProtocol SSLv3 TLSv1

Thx!!

Fri, 08/09/2013 - 18:14
Locutus

Yep you're right there!

Sun, 03/16/2014 - 11:30
Palewolf

I don't know about Debian (or Debian-based distros), but on CentOS (or most Red Hat-based distros), you only need to add -DTLS to /etc/sysconfig/proftpd and place the certificate in /etc/pki/tls/certs/proftpd.pem

Now, you could generate a new certificate for ProFTP, but I find it a lot easier to manage to just ln -s the certificate Webmin uses, so I just ln -s /etc/webmin/miniserv.pem /etc/pki/tls/certs/proftpd.pem

Mon, 10/05/2015 - 07:45
jimdunn

Quick update, the /etc/proftpd/tls.conf file should be updated to remove SSLv3:

TLSProtocol TLSv1

Also, in case you have trouble with the cipher suite:

TLSCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
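
Added example, not part of any post in this thread: a small shell lint for a ProFTPD tls.conf that reports the three settings the thread turns on: SSLv3 still listed in TLSProtocol, TLSRequired left commented out, and RC4 suites offered in TLSCipherSuite (RC4 is prohibited for TLS by RFC 7465). The function names and the sample file are constructed for illustration; point audit_tls_conf at /etc/proftpd/tls.conf to check a real server.

```shell
#!/bin/sh
# Added example (not from the thread): lint a ProFTPD tls.conf for three settings
# the posts above touch on. Checks only the plain token forms used in this thread.

# Print the arguments of the last active occurrence of directive $1 in file $2.
directive_value() {
    awk -v d="$1" '
        /^[ \t]*#/ { next }                                # commented-out line
        $1 == d    { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } # keep args only
        END        { print v }' "$2"
}

# Print one finding per line for config file $1; return 1 if anything was found.
audit_tls_conf() {
    conf=$1; found=0

    proto=$(directive_value TLSProtocol "$conf")
    case " $proto " in
        *" SSLv3 "*|*" SSLv23 "*)
            echo "TLSProtocol still allows SSLv3: $proto"; found=1 ;;
    esac

    # With TLSRequired absent or commented out, plain FTP logins are accepted.
    if [ "$(directive_value TLSRequired "$conf")" != "on" ]; then
        echo "TLSRequired is not on: unencrypted FTP is still accepted"; found=1
    fi

    # Look for RC4 suites that are listed (not excluded with ! or -).
    rc4=$(directive_value TLSCipherSuite "$conf" | tr ':' '\n' |
          grep -v '^[!-]' | grep 'RC4' | tr '\n' ' ')
    if [ -n "$rc4" ]; then
        echo "TLSCipherSuite offers RC4: $rc4"; found=1
    fi

    [ "$found" -eq 0 ]
}

# Constructed sample built from directives quoted in this thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TLSEngine on
TLSProtocol SSLv3 TLSv1
#TLSRequired on
TLSCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5
EOF
audit_tls_conf "$sample" || true
rm -f "$sample"
```

The function's exit status is non-zero when it reports anything, so it can gate a configuration-management run or a cron check.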